
Sneaky Web Tracking Technique Under Heavy Scrutiny by GDPR

Don’t expect tracking methods such as browser fingerprinting to disappear anytime soon, even with GDPR, warns the EFF.

What will the new General Data Protection Regulation (GDPR) mean for websites that use sneaky web trackers such as browser fingerprinting to profile visitors? Privacy experts say the practice is likely illegal under the newly enacted regulation, but they also warn not to expect this method of tracking users to disappear anytime soon, the Electronic Frontier Foundation said in a report issued Tuesday.

Using HTML5 features, websites can identify a visitor's browser not by cookies but by its unique characteristics, such as installed fonts, SVG widgets and WebGL, for starters. The technique is called browser fingerprinting, or canvas fingerprinting when it relies on rendering to an HTML5 canvas. Websites harvest these browser characteristics to produce a single, unique identifier that tracks users across multiple websites without persisting any identifier on the user's machine.

While widespread regulations and laws – including the ePrivacy Directive and the recently enforced General Data Protection Regulation laws – could address browser fingerprinting, websites participating in this practice “will try to skirt this law,” Bill Budington, senior staff technologist at the EFF, told Threatpost.

“Looking at how web fingerprinting techniques have been used so far, it is very difficult to imagine companies moving from deliberate obscurity to full transparency and open communication with users,” he said in a post, written along with Katarzyna Szymielewicz, co-founder and president of the Panoptykon Foundation. “Fingerprinting companies will have to do what their predecessors in the cookie world did before now: face greater detection and exposure by coming clean about their practices, or slink even further behind the curtain, and hope to dodge European law.”

Browser fingerprinting is a handy tool for marketers: it can identify users over time, track them across websites, and store that information on the marketers' servers to build an advertising profile of each user.

That’s separate from cookies, which can be deleted by the user. Interestingly, browser fingerprinting can be used to recreate a tracking cookie for a user after the user has become aware of the cookie and deleted it.

The Impact of Existing Regulation

GDPR rules, which went into effect May 25, have left privacy experts scratching their heads about what the data privacy protection crackdown means for methods such as browser fingerprinting.

GDPR doesn’t specifically call out fingerprinting – instead using “neutral language” that can quickly adapt to new emerging technologies or methods in the future, Budington said.

“Fingerprinting can be used to identify users, and the individual characteristics of the browser can be identifiable via this method… That requires basic interactive consent of the user,” said Budington. “Under GDPR, you would need a clear way to mark that you consent to the tracking.”

Getting the green light from EU regulators won’t be easy for browser fingerprinters, the EFF said in its post.

Companies using browser fingerprinting would have to first disclose the fingerprinting before it is executed and then wait for users to give their informed consent. Sites that relied on fingerprinting would also need to lay out a “legitimate interest argument for end users,” meaning they would need to prove that their interest in tracking does not override users’ right to data privacy.

The site would also need to share detailed information with users subjected to fingerprinting about the purpose and legal basis of such data processing, said Budington.

On top of GDPR, another data privacy protection law exists called the ePrivacy Directive (aka “the cookie clause”) which sets conditions on the use of device and browser identifiers.

“This is something that is an additional standard above and beyond GDPR,” Budington told Threatpost. As it stands, one specific part of the ePrivacy Directive states that device fingerprinting requires user consent:

“Parties who wish to process device fingerprints which are generated through the gaining of access to, or the storing of, information on the user’s terminal device must first obtain the valid consent of the user (unless an exemption applies).”

However, the EU is expected to pass an updated ePrivacy Regulation in 2019 that may home in on browser fingerprints and offer more direct definitions of user data privacy consent.

While GDPR and the ePrivacy Regulation both address browser fingerprinting, there’s no evidence in practice that these rules would ultimately end sneaky browser practices like this method.

However, many non-EU sites who track individuals in Europe using fingerprinting may ignore these laws under the belief that they can escape the consequences, Budington said.

“There’s nothing legitimate about this method of tracking: that’s what privacy laws like the GDPR recognize, and that’s what regulators will act upon,” Budington said in the post. “Before we see results of their actions, browser companies, standards organizations, privacy advocates, and technologists will still need to work together to minimize how much third-parties can identify about individual users just from their browsers.”

Authors

Threatpost
